The DoT has decided that it will be going ahead with a 100 per cent domestic sourcing and has released a list of certified GPON suppliers. (…) Local companies that made it to the certified list include Tejas Networks, Prithvi Infosystems, Center for Development of Telematics (C-DoT), VMC Systems, Sai Systems, United Telecoms, and SM Creative.

This follows the decision by the US House Intelligence Committee, which branded ZTE and Huawei a national security threat:

The House Intelligence Committee said that after a yearlong investigation it had come to the conclusion that the Chinese businesses, Huawei Technologies and ZTE Inc., were a national security threat because of their attempts to extract sensitive information from American companies and their loyalties to the Chinese government.

While it is good that the GoI decided to look beyond the Chinese companies when considering possible threats, the question it raises is, isn’t it turtles all the way down? Is it certified that the local companies will use 100% indigenously developed components, and if not, why is it better to prefer an “Assembled in India” sticker?

The FOFN project is a high-investment, long-term project that will power the infrastructure of Indian networks for some time to come. So it is prudent for the GoI to tighten the security, but it cannot be an isolated event. Nor is it viable to blanket-ban all foreign companies and technologies from such infrastructure and other sensitive projects. I hope someone higher up is thinking and acting seriously on an Information Assurance program within the scope of Critical Infrastructure Protection.

First it was the Americans, then the Israelis, then the joint US-Israel angle, and now we have the Russians as suspected makers of Stuxnet. Now, I ask you, why not the Indians? Don’t bother to answer, it was a rhetorical question – I know the odds against it!

On a more serious note, the article linking the Russians to Stuxnet does everything except link them. It goes on to provide a good old Cold War story of why the Russians would want to sabotage the Iranian nuclear program:

“their companies’ profit margins will benefit as long as the Iranians keep Russian scientists and engineers in country, who can oversee Iranian nuclear progress”

and why they would rather let the Americans and Israelis be given the credit:

“its designers wouldn’t want it traced back to the Kremlin, and so it would have to appear as if it were a clandestine operation by an adversary that didn’t have access to the gateway entry points”

It even goes on to speculate on Russian expertise:

“Russian scientists and engineers are familiar with the cascading centrifuges whose numbers and configuration – and Siemens’ SCADA PLC controller schematics – they have full access to by virtue of designing the plants.”

What is missing, of course, is the tiniest shred of evidence supporting this claim, or even circumstantial evidence that Russia possesses enough cyber power to carry out such a well-orchestrated cyber attack.

The Stuxnet worm was first reported in June 2010 and was credited with several exploits, including sabotaging the Iranian nuclear reactors and possibly even causing the malfunction of the INSAT-4B communication satellite. Now, more than one year on, security experts think that they have stumbled upon a worm that is being described as the precursor to the next Stuxnet, potentially written by the same people who wrote Stuxnet, or at least by someone who had access to the source code of the Stuxnet worm.

Named Duqu, the worm was first reported by the Laboratory of Cryptography and System Security (CrySyS) of the Budapest University of Technology and Economics in Hungary on 1st September 2011. The name comes from the “~DQ” prefix given to the files it created on the systems it infected. Further analysis by Internet security firm Symantec revealed that the worm may have been in the wild since November 2010 and has so far infected computers in eight countries, including India, and potentially four more.

Just like Stuxnet, Duqu makes use of a 0-day vulnerability against Microsoft to exploit the operating system and install the components of the worm stealthily, and just like Stuxnet, it also installs a driver with a valid digital signature; the digital certificate used for this seems to have been stolen from a company in Taiwan.

However, the similarities do not carry over to the suspected intention of the worms. It is now accepted that Stuxnet was written with the intention of compromising industrial control and monitoring systems, often called Supervisory Control and Data Acquisition (SCADA) systems, and was specifically targeted at the Iranian atomic program, while it is believed that Duqu does not contain any code related to industrial control systems and is primarily malware designed to give the attacker complete remote control over the compromised machine, often termed a Remote Access Trojan (RAT). It is also believed to install malware that records keystrokes and collects other system information from the compromised machine. The attackers were most probably looking for information that could be used in a future attack, hence the description of Duqu as a “precursor to the next Stuxnet.” It does make one wonder what we may have missed that was the real precursor to the Stuxnet worm.

Other than the fact that machines in India have been infected with the Duqu virus, there is another curious connection to the Indian cyberspace. Malware like Duqu uses external Command and Control (C&C) servers as a means for the attackers to remotely control the malware, for example to download new executables onto the infected machine, exfiltrate sensitive information from it, update the malware itself and sometimes even to destroy or deactivate it. One of the only three C&C servers identified for Duqu was hosted on the IP address 206.183.111.97. This IP address and the virtual private server (VPS) that it belonged to were being hosted by Web Werks, a Mumbai-based hosting company. According to the company, the VPS belonged to a client in Milan, Italy, and because it was a system that was being managed by the client itself, Web Werks did not have any control over what was running on it.

According to reports, officials from the Indian Computer Emergency Response Team (CERT-In) obtained an image of the VPS before taking it offline. Interestingly, there is no mention of the operation anywhere on CERT-In’s website, and officials have refused to comment on the development as it pertains to an ongoing investigation.

Getting hold of the C&C servers, however, doesn’t seem to have done the investigators a whole lot of good. Recent reports from Symantec indicate that all three C&C servers, including the one hosted at Web Werks, had been set up to forward all the traffic from the worm to other servers, making the final endpoint of the C&C chain hard to pinpoint.

The last few years have seen a drastic uptick in incidents related to cyber crime, and the cases of Stuxnet and Duqu have shown us that the new generation of malware is being continually honed for purposes that go beyond pranks, notoriety or money.

Iran has been targeted by a second computer virus in a “cyber war” waged by its enemies, its commander of civil defense said on Monday. Gholamreza Jalali told the semi-official Mehr news agency that the new virus, called “Stars,” was being investigated by experts.

“Fortunately, our young experts have been able to discover this virus and the Stars virus is now in the laboratory for more investigations,” Jalali was quoted as saying. He did not specify the target of Stars or its intended impact.

“The particular characteristics of the Stars virus have been discovered,” Jalali said. “The virus is congruous and harmonious with the (computer) system and in the initial phase it does minor damage and might be mistaken for some executive files of government organisations.”

While it is interesting to figure out what “congruous and harmonious with the system” actually means, even more interesting is what kind of mischief someone in this position can conjure up and blame on a “clear and present danger to critical national infrastructure”. Many believe that Iran was successfully targeted by the Stuxnet worm. Given this history, how many would fault Iran if it decides to “hunt down” machines/entities that are helping spread this new virus against it? Will such a strategy be acceptable to the world at large? Would the US or China, or for that matter India, be able to use similar logic to implement an active defense strategy? How can the international community verify Iran’s claims?

Defense Minister AK Antony has finally made a statement on the recent cyber espionage events reported in “Shadows in the Cloud”. Please do read the response – “Hacking of Security Information”, it won’t take a lot of time. It is a relief to see someone actually asking the questions at the right level, and the questions being answered. Now let us take a look at the answer (emphasis added).

certain internet facing computers were compromised by the hackers which had no sensitive defence data

While it is reassuring that the Minister thinks no sensitive data was leaked, something doesn’t add up. The report states:

“Although there is public information available on these military projects, it indicates that the attackers managed to compromise the right set of individuals that may have knowledge of these systems that is not publicly known. We recovered documents and presentations relating to the following projects:

We also found that documents relating to network centricity (SP’s Land Forces 2008) and network-centric warfare had been exfiltrated, along with documents detailing plans for intelligence fusion and technologies for monitoring and analysing network data (Defence Research and Development Organisation 2009).

That is of course just the “defence” bit. It is hard to believe that all that information on the missile systems and warfare strategy is public knowledge. Now to approach the “sensitive” non-defence part of the report’s content:

We recovered one document that appears to be an encrypted diplomatic correspondence, two documents classified as “SECRET”, six as “RESTRICTED”, and five as “CONFIDENTIAL”. These documents contain sensitive information taken from a member of the National Security Council Secretariat concerning secret assessments of India’s security situation in the states of Assam, Manipur, Nagaland and Tripura, as well as concerning the Naxalites and Maoists. In addition, they contain confidential information taken from Indian embassies regarding India’s international relations with and assessments of activities in West Africa, Russia/Commonwealth of Independent States and the Middle East, as well as visa applications, passport office circulars and diplomatic correspondence. The attackers also exfiltrated detailed personal information regarding a member of the Directorate General of Military Intelligence.

It is indeed true that none of this is defence data, but it sure looks sensitive.

So, either all this exfiltrated information was public knowledge (highly unlikely), or India doesn’t consider any of it (including the missile programme details) as “sensitive defence data”, or the report is wrong, or of course the Minister has not been properly informed.

Pick your poison, I guess.

Services Headquarters have an information security policy and their networks are audited as per the guidelines.

In recent days there has been a lot of coverage of the central government’s decision to block the sale of networking equipment to domestic carriers in the country by China-based telecom hardware makers Huawei Technologies Co. and ZTE Corp. due to security concerns.

The minutes of the latest meeting of the Foreign Investment Promotion Board (FIPB) while deliberating on a case regarding Huawei clearly bear the government’s apprehension: “Huawei is a company founded by a People’s Liberation Army officer and the company has the capability to remotely manipulate the equipment it supplies to its clients”. This piece of information on the company was communicated to the FIPB by the home ministry.

In order to reduce the panic that may ensue, officials have been trying to convey that decisions to allow/disallow use of this Chinese-made hardware are taken case by case:

“There’s no blanket ban on Chinese equipment,” Gopal K. Pillai, the top bureaucrat in the Home Ministry, told reporters in New Delhi today. “We review equipment case by case.”

In a recent development, the government has also announced the formation of a regulatory body to provide “security certification at different stages for equipment brought to India by both the public and private sectors.”

Understandably, some call it extreme paranoia and see these as a knee-jerk response to the recent reports of cyber espionage attributed to non-state Chinese actors, while others claim it has something to do with the 3G licence auction, or with the cheap Chinese hardware that is flooding the Indian market and drowning both Indian and western products.

One would be ill-advised to dismiss such claims completely. The suspicion that Chinese hardware may contain backdoors is neither new nor specific to the Indian context. The UK government has raised questions about the presence of Huawei in BT’s 21CN network backbone. This is one of the main reasons why BT has a system in place to inspect the hardware and is able to provide consultancy services to its Indian counterpart. A similar concern was also raised by the Australian government. In fact, similar fears were raised by the Indian government in 2009 too.

None of these reports have any proof to show that these espionage attempts are actually taking place, but given that it is easy to carry out, hard to detect, and given the Chinese government’s track record of engaging in active information warfare, it is a not-too-remote possibility. Given this, the steps taken by the Indian government to tackle the issue are commendable. It is also good to see follow-up actions being taken in the form of setting up a regulator rather than just banning the import/use of Chinese hardware. Given the experience that companies like BT have had in dealing with similar situations, it is also nice to see the government engaging with them to kick-start the effort rather than working in isolation.

On the other hand, the lack of concrete proof of the presence of backdoors is in some ways troubling. If the various three-letter agencies have not been able to publicly state that they have discovered backdoors, nor that they have seen suspicious egress traffic, it does look more likely that there might not be any! This might mean that the “fearmongering” that Chinese companies are being subjected to may be financially motivated. After all, getting rid of cheap Chinese hardware would make the life of both Indian and western competitors a lot easier! That begs the question: why is hardware from western manufacturers not being subjected to similar scrutiny? Do we have more trust in them than in the Chinese ones? If so, what have they done to earn that trust?

A related issue is that of the involvement of BT in the regulatory process. Its involvement in the process should be made clear openly. Though they do seem to have the expertise to help the Indian counterparts, their involvement should be restricted to consultancy services and the actual testing and audit process should be implemented and conducted by Indian institutions.

And what happens to the existing hardware of Chinese origin that is used extensively by Indian companies? It is just about infeasible to decommission it. Are we going to live with it? Looks like it for the time being. In that case these devices should be subjected to rigorous scrutiny, and the companies need to make sure not only that no information is being leaked but also that the devices are working correctly.

There is enough content in these reports to provide fodder for several posts at Vyuha, ranging from technical discussions on how the espionage network was run to higher-level “what have we learnt” ones. This post looks at one of the factors that allowed this episode to play out – the effectiveness of the malware attacks that were used to set the exfiltration network up.

The reports identify that the attackers used Microsoft Office (DOC, XLS, PPT) and PDF files to deliver their malware, and that the information acquisition phase before the delivery must have been involved and meticulous.

What is surprising and frustrating about the whole attack is that while the malware was delivered with targeted effectiveness, there is no proof that it exploited any 0-day vulnerabilities in the applications, and hence it could have been caught and prevented from wreaking havoc on target machines. Why were the vulnerable applications not patched? Did the targeted machines have protective mechanisms in place, like updated anti-virus or HIPS software installed on them? If not, why not? Given that the information leaked from the exfiltrated documents was of a sensitive nature, it can be assumed that the people operating those machines had specific clearance. Why were their working environments not secured enough? In addition, were network-based Intrusion Prevention/Detection Systems installed on these networks, and if so, why were they not effective in preventing or even detecting these attacks?

A lot of questions with few answers. But then that has been the case with all the questions raised by the public about this incident.